What is a SOC provider?
What SOC providers do, where monitoring ends, and what buyers usually still need to own.
Definition
A SOC provider is a third-party organization that delivers security operations center work as a managed service. Instead of building a full in-house SOC, the buyer uses an outside team for some or all of the monitoring, triage, investigation, and response work.
The important question is not whether a provider calls itself SOC, MDR, MSSP, XDR, or SOCaaS. The important question is what happens after an alert:
- Do they only forward the alert?
- Do they investigate and explain what happened?
- Can they contain the threat for you?
- Do they operate enough of the SOC function that your team owns less day-to-day work?
That handoff is the core of the market.
Types of SOC Providers
The same provider can fit more than one label, and vendors often use the labels loosely. Use them as starting points, then check the actual scope.
| Model | What it usually means | Buyer still needs to check |
|---|---|---|
| MSSP | Broad managed security services, often including monitoring, alerting, firewall management, vulnerability scanning, or compliance reporting. | Whether alerts are only forwarded or actually investigated. |
| Managed SIEM | SIEM operation, log ingestion, alert rules, dashboards, and escalation. | Who tunes detections, investigates alerts, and responds after escalation. |
| MDR | Managed detection and response, often built around endpoint, identity, cloud, or XDR telemetry. | What response actions are included and whether the provider uses your tools or theirs. |
| SOCaaS | A broader outsourced SOC function covering monitoring, triage, investigation, reporting, and response workflows. | How dedicated the analyst team is and where the provider stops during incidents. |
| Co-managed SOC | Your team keeps tooling and ownership; the provider adds analysts, coverage, or specialist help. | Which hours, queues, detections, and response actions are shared. |
| XDR-led service | Managed service wrapped around a specific XDR platform. | Whether the platform covers your real environment or mainly the vendor’s own stack. |
What SOC Providers Cover
Most SOC providers cover some mix of these functions. A lighter provider may include only the first two. A fuller provider may own most of the list.
- Monitoring: watching security telemetry from endpoints, identity systems, cloud services, network controls, email, SaaS applications, and logs.
- Triage: filtering noisy alerts and deciding which events need human attention.
- Investigation: determining scope, affected assets, root cause, and likely business impact.
- Response: isolating hosts, disabling accounts, blocking indicators, or guiding your team through containment.
- Threat hunting: looking for suspicious behavior that did not trigger a normal alert.
- Detection engineering: writing, tuning, and maintaining rules so the service improves over time.
- Reporting: giving incident summaries, trend reports, and evidence for compliance or executive review.
What Buyers Often Still Own
Outsourcing does not remove every internal responsibility. In many engagements, the buyer still owns:
- business decisions during a serious incident
- access approvals and change management
- asset ownership and environment context
- remediation work outside the provider’s control
- legal, communications, and executive decisions
- validating that the provider’s detections match the buyer’s risk
This is why the service boundary matters. A provider can be useful and still leave meaningful work with your team.
Why Organizations Outsource
The common reason is not just cost. It is coverage, staffing, and operating maturity.
- Coverage: few internal teams can cover nights, weekends, and holidays without burning out.
- Hiring: experienced SOC analysts, detection engineers, and incident responders are hard to recruit and retain.
- Tooling: SIEM, EDR, threat intelligence, case management, and log storage can become expensive and complex.
- Process: mature triage, escalation, and incident workflows take time to build.
- Compliance: cyber insurance, SOC 2, HIPAA, PCI DSS, ISO 27001, or customer requirements may require monitoring evidence.
Outsourcing is not automatically better than building. It is usually a tradeoff: faster coverage and more external expertise, but less direct control and more dependence on the provider’s workflow.
How to evaluate a SOC provider
Start with the work you need owned. Then test whether the provider can actually own it.
- Define the handoff. Ask what they do after a confirmed alert: notify, investigate, advise, contain, or fully manage the incident workflow.
- Check telemetry fit. Confirm which sources they monitor: endpoint, cloud, identity, network, email, SaaS, OT, logs, or your existing SIEM.
- Inspect sample output. Ask for sample alert writeups, investigation notes, and incident reports. The output should be specific enough for your team to act.
- Test detection quality. Ask how detections are created, tuned, mapped to MITRE ATT&CK, and improved from real incidents.
- Clarify tooling. Understand whether they require their own platform or can work with your existing stack.
- Clarify response authority. Decide which actions they can take without approval and which actions need your sign-off.
- Review onboarding. Ask how long it takes to connect data sources, tune alerts, document escalation paths, and reach normal operations.
- Compare pricing drivers. Watch for endpoint count, log volume, data retention, cloud accounts, response scope, and add-on services.
Questions to ask before buying
- What exactly happens after a high-severity alert?
- Which response actions are included in the base service?
- Which tools or data sources are required before the service works well?
- How are false positives tuned during the first 30 to 90 days?
- Can we see an example of a real investigation report with sensitive details removed?
- Who owns detection gaps discovered during onboarding?
- How is pricing affected by log volume, endpoints, cloud assets, and retention?
- What happens if we need incident response beyond the managed service scope?
The right provider is the one whose service boundary matches your team’s capacity. A small IT team may need more ownership from the provider. A mature security team may only need off-hours coverage, threat hunting, managed SIEM, or extra investigation capacity.